A good friend found out that some hacker had accessed his online accounts. Naturally, he was worried about identity theft and the time it would take to resolve the problem. One way to reduce your risk is by using “two-factor authentication,” or 2FA, with a mobile app. This additional layer of security is easier to add than you think, and it’s free.
What is Two Factor Authentication (2FA)?
The name two-factor authentication sounds complex to many users. Chances are you have already used it in some way, but didn’t know it was called that. You might also hear it called “multi-factor authentication.”
Basically, it means that before you can access a service, you need to present two different kinds of proof. Examples of each kind include:

| Factor | Examples |
|---|---|
| Something you know | account name, password, email account |
| Something in your possession | security key, application, code |
| Some physical attribute | fingerprint, facial recognition |
When you think of getting cash from your bank ATM, you’re using a similar process. You have to have both your ATM card and your PIN code. The online world can work similarly with a different set of verification codes and an authentication app or physical security key.
Instead of just relying on an account name and password, you can add a second protection level before people get access. This is important when you think of how many times you hear of security breaches from large companies or phishing attacks.
And sometimes breaches happen because of our own actions. Maybe you logged into a friend’s computer and forgot to sign out. That’s why it’s a good idea to check which devices are logged into your Google account.
Popular Websites with 2FA
You might be thinking that two-factor authentication is fine, but you don’t have any services that use it. You probably do, but many websites hide this security feature and you have to go through extra layers to find it.
Here are some you might know:
- Epic Games
Most of the above companies are household names, but there are smaller players too. One good way to find 2FA sites is to go to https://2fa.directory/
Josh Davis, an Amazon engineer, started this 2FA directory site. The site offers ways to find sites that use two-factor authentication and additional information. The site is straightforward to use and presents the information in a nice grid.
- There is a search bar at the top where you can enter a service name. As you start typing, the site will show possible matches.
- You can also filter by category. In my example, I’m using the Backup and Sync category.
- Any alerts or exceptions about the company or service.
- A link to that company’s two-step verification documentation.
- An indication of what authentication types the company uses. You’ll also note that you can send a tweet to the company asking them to support 2FA.
Start with an Authentication App
There are many methods you can use for two-factor authentication. Perhaps the best-known app is Google Authenticator. Most sites that show a check in the Software Token column in the image above should work with it.
The way these apps work is to provide a one-time password (OTP) that you use to log in to a service in addition to your regular password.
For example, when I use Cloudflare, I sign in as normal with my account name and password. But right after I hit the Login button, I’m greeted with the dialog below since it’s a 2FA-enabled service.
At this point, I switch to my phone’s 2FA app and get authentication codes.
Using Google’s Authenticator
To use 2FA, you will need to install an authentication app on your mobile phone. In the case of Google, it’s available for both Android and Apple.
- Install the Google Authenticator app from your phone’s app store.
- Using Josh’s 2FA directory site, find the setup instructions for your service. Some websites have a separate security section where you will find the activation settings.
- Navigate to the service page and look for a QR Code. You will scan this code with your phone or tablet.
- Google Authenticator will add the service to your phone and provide a one-time password (OTP). In the picture below, my password was 274944. I need to enter this code into the confirmation box before it expires. The small circle represents how much of my 30 seconds are remaining. A new code is generated after that.
- Enter the code from your app into the service’s Confirm Auth Code box. Your service may use different terminology, such as “second-factor token.”
- Your account is now configured for 2FA. From now on, each time you log into your service, you will be prompted to enter a new verification code from your app.
Other 2FA Application Services
There are several alternative apps in case you don’t like Google. They all work similarly in that they generate a time-based one-time password (TOTP) on a mobile device. These include:
For example, I prefer Authy and Microsoft Authenticator. While sites typically reference “Google Authenticator,” you can use your preferred app.
My suggestion is to try each of these apps to see which one suits your needs. There are subtle differences: Authy doesn’t have a circle clock to indicate time but uses a bar at the top; LastPass Authenticator can bypass codes and uses Approve or Deny buttons; and Microsoft’s version also lets you store passwords.
Hardware Authentication Devices
While many people like the convenience of having a 2FA application on their phone, there are other options. If you’re a long-time PayPal user, you may remember they offered a small gray football-shaped device. When you pressed it, an RSA code was generated in a tiny message display that you entered. Many companies had these RSA tokens as well to give remote workers access to their networks.
A newer addition is hardware keys, such as those made by Yubico or Google’s Titan Security Key. These generally work through a USB port or with an NFC-enabled phone. These devices are also called hardware tokens.
The key is slipped into an available USB port on your computer. With a phone, you hold the key within NFC range of the phone instead. The devices come in a range of sizes but are all small; some people prefer to keep theirs on a keyring.
Caveats & Warnings
Although 2FA is more secure, it’s not bulletproof. This is especially true of SMS codes: they are better than nothing, but SMS is not a secure channel.
There have been some reports where these text messages were intercepted. Wired magazine had an informative article on this that you should read.
Another downside is that you may not be able to transfer your 2FA information when you get a new phone. The setup process doesn’t take a lot of time, but sometimes you need to take additional steps with the provider to remove the previous setup.
As much as I like 2FA, I have to admit some aspects can “bite you in the butt.” For example, I recently dropped my cell phone and damaged it. The screen had fine cracks starting in the lower-left corner that spread upwards. I lost most functionality, including working with my 2FA app. The screen no longer responded to my taps. Fortunately, I had Authy on my iPad and was able to get around the issue.
I also realized some services I use had terrible fallback procedures. Most services will have a backup method so you can get into your account. The typical means include an SMS code or a stored list of backup codes that you enter into the app. However, some services tell you to call customer support. In one case, my provider wanted a notarized letter.
Before you do a factory reset on your cell phone or get a new one, my suggestion is to double-check your services. Where possible, get a copy of the one-time codes you’ll need or set up SMS.
These one-time codes are not the same as one-time passwords, although the concept is similar. These one-time codes are usually alphanumeric and stay active until you use them to log into your service. They don’t expire after 30 seconds. The codes can be used in cases where you don’t have your phone. The downside is you need to place them someplace safe that you can access. And no, printing them out and putting the list under your keyboard is not safe. But many password managers have note fields where you could store the codes.
If you have a provider that doesn’t have a fallback method, I’d suggest deactivating the service until you get the phone working. While it’s OK to keep hackers away, it’s exceedingly frustrating when you’re the one locked out. I might also be inclined to check to see what apps might have access to my Google account.
Although it takes time to set up 2FA with all your services, it’s worth the additional effort. You don’t have to add all of them at once. Start by adding the services that pose the greatest risk. Then, get used to how the login process works and add more accounts as you get comfortable.